COm_BOY wrote:I require a formal questionnaire which would be provided to the client, used for a penetration test.

If no one has it, how about some of you guys list some of the questions you might ask, considering the fact that the pen test is of network + web app.

Take a look at the OSSTMM pentest framework, or the PTES framework. If there's absolutely nothing within these..

These are some questions I might ask, to make my life easier as a Penetration Tester:
- Where is the Web App hosted? In-house or outsourced?
- Which operating system is hosting the Web App?
- What kind of virtualization, if any, is being used on the Web App server?
- Are you using any known CMSs and similar Web Apps, or are you using custom coded applications, or a mix?
- What type of database are you using, if any?
- Which server-side language is used on the Web App server? (PHP? ASP?)
- Are you using a well-known webserver? If yes, which? If not, was it coded in-house or via a 3rd party?
- Any particular modules / add-ons you have installed on your webserver?
- Is it possible for me / us to obtain a copy of the code you host on your webserver, so we can review it for vulnerabilities?

These are of course technical questions. You might ask these questions as well:
- Are there any critical web applications we should avoid using dangerous attacks on?
- Is there a mirrored backup server for us to test the web application(s) on?

Well, there's a lot more and these are just some of my contributions. About networks in short: Topology, Switches, Routers, Protocols, etc.

Good luck, I hope some of these questions were useful, even though you should use those you believe are the right ones to use.

That really depends, are you talking about questions for a scoping exercise?

MaXe's questions are good, but before you get to that point you need to have a clear understanding of what they are trying to protect and why. What vectors are the likeliest threats? You want to model what the customer is most likely to face and attack the assets most likely to be attacked. What is the purpose of the test? Are you testing the blue team response times and capabilities or is this test announced? Not all pentests are created equal, you really need to understand the objectives before you can even begin to structure your test.

Some questions I like to ask include:

- What is my target?
- What systems are in scope?
- What systems are off limits?
- When can I test?
- When must I never test?
- What tools and techniques can I use (or not use, e.g. DDoS, social engineering, physical, etc.)?
- Who is my PoC for the test?
- Is the test announced?
- Where can I test from? (internal, DMZ port, internet remote site, etc.)

If doing a physical test, I like to know if the security guards are armed *gulp*

Also, if possible get copies of network diagrams, application maps, past risk assessments, audits and pentests relevant to the scope of your test. It will give you a good starting point and help you understand what you need to be doing and where the customer has been. After all, you are another step on their security journey and you want to move them further down the road, not backwards.
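As an added example (not part of tturner's post, and not code from any tool mentioned in this thread), here is one way to turn the answers to those scoping questions into a rule set a tester can check every action against before touching a host. The in-scope ranges, carve-out, jump host, overnight window and banned techniques below are constructed placeholder values standing in for a real client's answers. Exclusions deliberately win over inclusions, the window handles a span that crosses midnight, and the carve-outs can be fed straight to nmap's `--exclude` so the off-limits hosts are never probed by accident.

```python
"""Encode pentest scope answers as rules that can be checked mechanically.

All values in CLIENT_ANSWERS are constructed for this example; they are not
a real engagement. Timestamps must carry a UTC offset so that the client's
local testing window is applied correctly regardless of where we test from.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass
class Scope:
    in_scope: list          # networks the client has put in scope
    off_limits: list        # networks that must never be touched
    allowed_sources: list   # networks we are allowed to test from
    window_start: time      # client-local time testing may begin
    window_end: time        # client-local time testing must stop (exclusive)
    client_tz: timezone     # client's UTC offset, used for the window
    banned_techniques: set  # techniques ruled out in scoping (lower-cased)

    @classmethod
    def from_answers(cls, answers: dict) -> "Scope":
        """Build a Scope from the questionnaire answers (hypothetical keys)."""
        return cls(
            in_scope=[ip_network(n) for n in answers["in_scope"]],
            off_limits=[ip_network(n) for n in answers["off_limits"]],
            allowed_sources=[ip_network(n) for n in answers["test_from"]],
            window_start=time.fromisoformat(answers["window"][0]),
            window_end=time.fromisoformat(answers["window"][1]),
            client_tz=timezone(timedelta(hours=answers["utc_offset_hours"])),
            banned_techniques={t.lower() for t in answers["never_use"]},
        )

    def host_allowed(self, host: str) -> bool:
        """Off-limits ranges override in-scope ranges they are carved out of."""
        addr = ip_address(host)
        if any(addr in net for net in self.off_limits):
            return False
        return any(addr in net for net in self.in_scope)

    def time_allowed(self, when_iso: str) -> bool:
        """True if the ISO-8601 timestamp falls in the client-local window.
        A window such as 22:00-06:00 (crossing midnight) is handled."""
        when = datetime.fromisoformat(when_iso)
        if when.tzinfo is None:
            raise ValueError("timestamp must include a UTC offset")
        local = when.astimezone(self.client_tz).time()
        if self.window_start <= self.window_end:
            return self.window_start <= local < self.window_end
        return local >= self.window_start or local < self.window_end

    def source_allowed(self, src: str) -> bool:
        return any(ip_address(src) in net for net in self.allowed_sources)

    def technique_allowed(self, technique: str) -> bool:
        return technique.lower() not in self.banned_techniques

    def violations(self, host: str, when_iso: str, src: str, technique: str) -> list:
        """Return every rule the proposed action would break (empty = go)."""
        problems = []
        if not self.host_allowed(host):
            problems.append(f"{host} is not in scope or is off limits")
        if not self.time_allowed(when_iso):
            problems.append(f"{when_iso} is outside the agreed testing window")
        if not self.source_allowed(src):
            problems.append(f"testing from {src} was not agreed")
        if not self.technique_allowed(technique):
            problems.append(f"'{technique}' was ruled out during scoping")
        return problems

    def nmap_exclude(self) -> str:
        """Value for nmap's --exclude option covering every off-limits range."""
        return ",".join(str(n) for n in self.off_limits)


# Constructed answers standing in for a real client's replies.
CLIENT_ANSWERS = {
    "in_scope": ["203.0.113.0/24", "198.51.100.0/25"],
    "off_limits": ["203.0.113.200/29"],   # e.g. a production system carved out of the /24
    "test_from": ["192.0.2.10/32"],       # our jump host, allow-listed by the client
    "window": ["22:00", "06:00"],          # overnight only, client local time
    "utc_offset_hours": 1,
    "never_use": ["DDoS", "social engineering", "physical"],
}

SCOPE = Scope.from_answers(CLIENT_ANSWERS)

if __name__ == "__main__":
    print("nmap --exclude", SCOPE.nmap_exclude())
    for host, tech in [("203.0.113.42", "port scan"), ("203.0.113.203", "port scan")]:
        print(host, tech, SCOPE.violations(host, "2011-05-29T23:30:00+01:00", "192.0.2.10", tech) or "OK")
```

Run it before each phase of the test; an empty list from `violations()` means the host, time, source and technique all match what the client agreed to, and anything else is a reason to stop and go back to the PoC.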

- What is my target?
- What systems are in scope?
- What systems are off limits?
- When can I test?
- When must I never test?
- What tools and techniques can I use (or not use, e.g. DDoS, social engineering, physical, etc.)?
- Who is my PoC for the test?
- Is the test announced?
- Where can I test from? (internal, DMZ port, internet remote site, etc.)

I completely agree that you should ask these questions first, when defining the scope.

I've seen some really badly defined scopes before. One I saw read something like "Exploit discovered vulnerabilities on organization machines" with no further clarification. Problem is target organizations often don't even understand why they are getting the test done, other than PCI or similar.

tturner wrote:I've seen some really badly defined scopes before. One I saw read something like "Exploit discovered vulnerabilities on organization machines" with no further clarification. Problem is target organizations often don't even understand why they are getting the test done, other than PCI or similar.

Nice example :)

I agree that such a scope is too vast and should be avoided, even if it's a simulated black hat attack (with legal permission of course). A scope with no clearly defined targets could be extremely large if it's a large enterprise corporation that is undergoing a penetration test. (The 10,000 PCs example: if scanning all TCP ports is required, then even with one single machine it may take a very long time, especially if all UDP ports have to be scanned too.)

Last edited by MaXe on Sun May 29, 2011 5:31 am, edited 1 time in total.